Protecting Sensitive Data From Breaches: Why Encrypting Data 'at Rest' Is Critical for Today’s Enterprise Applications

The Fast Mode spoke to Asaf Darash, Founder and CEO of Regpack on new encryption technologies and their impact on today's networks. Asaf joins us in a series of discussions with leading vendors in the traffic management, service assurance, traffic monitoring, analytics, policy control and network security space, assessing various attributes of encryption, its benefits as well as the challenges it poses, specifically loss of visibility that makes networking increasingly complex.

Tara: How important is encryption for today’s applications?

Asaf: It is critical. About ten years ago there was a heated debate between business leaders and technology enthusiasts about whether the SaaS industry would be able to penetrate the business world and whether cloud applications would be used by enterprise-level organizations. We all know how that turned out. Today businesses shy away from anything that demands they have their own hardware or anything that requires any installation. The heated debate centered on the level of security these applications offer and whether they can be trusted.

The security concern is not without merit. We have all heard about, or even been part of, large data breach events. This is where the importance of encryption is most prominent. Encrypting data as it moves between the user and the servers is essential. Alas, many organizations still do not encrypt their data "at rest". Most of the time, data is "at rest", meaning it is sitting in a database or a storage unit waiting for it to be used or called. For very short timespans, it is moving from the database to the application and back. Obviously, as it is moving, it is most vulnerable, hence it must be encrypted. As it is at rest, it is also vulnerable to breaches and possible database hacking. The solution to this lies in encrypting data at rest. This means that as the data is sitting in the database, it is actually encrypted so that even if the database is stolen, the data is not accessible. This type of encryption is at the data storage level and adds an additional layer of security. But many applications go a step further today: since breaches normally happen within the cloud network, it is possible that the hackers might also have access to the data storage encryption keys. To resolve this concern, a more advanced method of encryption has been implemented on personal identifying information and other sensitive data: to encrypt the data with a unique key per data unit and then save it already encrypted into the database. This approach was common with passwords yet has been extended as computer power has grown. This type of encryption creates a very high level of security since in order to access the sensitive information, the hacker would need access to the database, the application, and the keys. All at the same time. It is common practice to have different layers and different types of security for each of these, hence the probability of a breach at all these levels is low.
Considering that stolen information is a death sentence for most enterprise-level applications, encryption at rest should become the norm and not the exception. It presents its unique challenges yet the damage of stolen "at rest" information is too great to overlook this opportunity to mitigate the risk.

Tara: What are some of the benefits of encryption?

Asaf: Encryption offers a number of benefits to cloud software builders and owners. First, I would like to emphasize that there are many types of encryption. The one I am referring to is encryption at rest. This is when information is encrypted at the application level and transferred and saved in the database as an encrypted unit. This offers two main benefits for users and application builders. 

First, it creates a higher level of security for sensitive data. Breaches have become common, and they are still a death sentence to most companies. Especially if financial or sensitive information is stolen. Encrypting the data in the database ensures that even if the data is stolen, it is not accessible to hackers. In order to access the information, hackers would need access to the database, application source code and encryption key structures. All of which should be saved in different locations and with different security measures connected to them.

Second, in spite of the public image that breaches happen by computer wizards in dark rooms on the other side of the planet, the truth is that most breaches and stolen data are internal. This means it is an employee or a supplier that has access to the data and steals it with malicious intent. The problem is all the more prominent with development teams that have very few restrictions on what they can access. Encrypting data at rest allows a disconnect between the data accessibility and the DBA team. As the data is encrypted at the code level when it reaches the database, it is not usable without the application code. This means it is very hard for an employee to steal large amounts of sensitive data, if at all, as they would need access to the database, source code, and encryption keys. Access to all three should never happen and is very rare. Obviously, this methodology creates complications, such as how to allow search functionality and aggregation, but this is why this is normally set only on sensitive data that would cause the clients and the application supplier major damage if exposed.
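
The per-data-unit scheme described in the interview, sketched as an added example (not part of the interview and not Regpack's code): each record gets its own random AES-256-GCM key, which is itself wrapped by a master key kept outside the database. The function names, the document layout and the in-process `MASTER_KEY` are assumptions for illustration; a real deployment would hold the master key in a KMS or HSM.

```javascript
// Added example: application-level encryption with one data key per record.
const crypto = require('node:crypto');

// Assumption: stands in for a key held in a KMS/HSM, never stored in the database.
const MASTER_KEY = crypto.randomBytes(32); // constructed for the demo

// AES-256-GCM; output is base64(iv || tag || ciphertext). `aad` binds the blob to a record.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]).toString('base64');
}

function unseal(key, blob, aad) {
  const raw = Buffer.from(blob, 'base64');
  const d = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  d.setAAD(Buffer.from(aad));
  d.setAuthTag(raw.subarray(12, 28));
  // final() throws if the key, the record id or the ciphertext does not match.
  return Buffer.concat([d.update(raw.subarray(28)), d.final()]);
}

// Runs in the application before the write; the returned object is all the database sees.
function encryptField(recordId, value, masterKey = MASTER_KEY) {
  const dataKey = crypto.randomBytes(32); // unique key for this data unit
  return {
    _id: recordId,
    wrappedKey: seal(masterKey, dataKey, recordId), // data key, wrapped by the master key
    ciphertext: seal(dataKey, Buffer.from(value, 'utf8'), recordId),
  };
}

// Needs the stored document and the master key together; either one alone is useless.
function decryptField(doc, masterKey = MASTER_KEY) {
  const dataKey = unseal(masterKey, doc.wrappedKey, doc._id);
  return unseal(dataKey, doc.ciphertext, doc._id).toString('utf8');
}
```

Because the record id is authenticated as associated data, a ciphertext copied onto another record fails to decrypt, and a database dump without the master key yields only opaque blobs.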

This interview is a part of The Fast Mode's Real-time Visibility for Encrypted Traffic segment, featuring 34 leading IP networking solution providers and their views on the impact of encryption on traffic visibility. A research report on this topic will be published in February 2023 - for more information, visit here.

Author

Asaf Darash is the founder and CEO of Regpack, an online payment management platform. With extensive experience as an entrepreneur and investor, he has built three successful companies to date, each with an exit plan or that are still in operation. He specializes in product development for the web, team building, and bringing a company from a concept to profitability. His specialties include extreme programming, programming languages, JavaScript, MongoDB, system structures and new media, enabling him to build versatile products based on achievable business models. Asaf holds a PhD in New Media from Hebrew University of Jerusalem and has served as a Fulbright Scholar at the University of California, Berkeley.
